Set up VPC Service Controls for Application Integration

VPC Service Controls lets you define a security perimeter around the Application Integration Google Cloud service. With the security perimeter around your service, you can constrain data within a VPC and mitigate data exfiltration risks. If you are not already familiar with VPC Service Controls, it is recommended that you go through the following information:

This document describes how to set up a VPC Service Controls perimeter for the Application Integration service. After you have set up the perimeter, you can configure egress and ingress policies that determine what other Google Cloud services can access the Application Integration service (integrations.googleapis.com) and conversely what services the Application Integration service can access.

Before you begin

Ensure that you have the required permissions to configure service perimeters. To view a list of IAM roles required to configure VPC Service Controls, see Access control with IAM in the VPC Service Controls documentation.

Create a VPC service perimeter

To create a VPC service perimeter, you can use the Google Cloud console, the gcloud command, or the accessPolicies.servicePerimeters.create API. For more information, see Create a service perimeter. To create a VPC Service Controls perimeter by using the gcloud command, run the following:

gcloud access-context-manager perimeters create PERIMETER_NAME \
    --title=PERIMETER_TITLE \
    --resources=projects/PROJECT_ID \
    --restricted-services=integrations.googleapis.com \
    --policy=POLICY_ID

Replace the following:
  • PERIMETER_NAME: the ID of the VPC Service Controls perimeter
  • PERIMETER_TITLE: the human-readable title of the perimeter
  • PROJECT_ID: the project for which you want to add the VPC Service Controls perimeter
  • POLICY_ID: the numeric ID of the access policy that the perimeter belongs to (you can omit --policy if you have set a default policy with gcloud config set access_context_manager/policy)

The preceding command takes some time to complete. Once it completes, the perimeter restricts the Application Integration service (integrations.googleapis.com) for your project: requests that cross the perimeter boundary are denied unless a rule allows them.

To allow IP addresses, service accounts, or users outside the perimeter to use Application Integration, define ingress and egress rules. VPC Service Controls uses ingress and egress rules to allow access to and from the resources and clients protected by service perimeters.

Add egress policy to an existing service perimeter

To add an egress policy to an existing service perimeter, use the gcloud access-context-manager perimeters update command. For example, the following command adds an egress policy defined in the vpcsc-egress.yaml file to an existing service perimeter named integrationPerimeter:

gcloud access-context-manager perimeters update integrationPerimeter \
    --set-egress-policies=vpcsc-egress.yaml
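The page does not show what vpcsc-egress.yaml contains, so here is an added example (not from the original page or from Google's own samples) of a least-privilege egress rule in the gcloud YAML format. It assumes a placeholder service account INTEGRATION_SA@PROJECT_ID.iam.gserviceaccount.com that runs integrations inside the perimeter, and a placeholder project number EXTERNAL_PROJECT_NUMBER outside the perimeter that hosts a Cloud Storage bucket the integration only needs to read; the method names are the ones the VPC Service Controls supported-methods reference lists for storage.googleapis.com.

```yaml
# vpcsc-egress.yaml (constructed example; all values are placeholders)
#
# One egress rule: a single identity inside the perimeter may read objects
# from Cloud Storage in one project outside the perimeter, and nothing else.
# Scoping the identity, the service, the methods and the target project is
# what keeps this rule from becoming a broad exfiltration path.
- egressFrom:
    identities:
    - serviceAccount:INTEGRATION_SA@PROJECT_ID.iam.gserviceaccount.com
  egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
      - method: google.storage.objects.list
    resources:
    - projects/EXTERNAL_PROJECT_NUMBER
```

After applying the file with the update command above, run gcloud access-context-manager perimeters describe on the perimeter and confirm that the egressPolicies section lists only this rule; an unexpected method: "*" or identityType: ANY_IDENTITY entry is the first thing to look for when reviewing a perimeter for over-broad egress.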

Similar to an egress policy, you can also define an ingress policy. To learn more about specifying ingress rules, see Ingress rules reference.

Verify your perimeter

To verify the perimeter, use the gcloud access-context-manager perimeters describe PERIMETER_NAME command. For example, the following command describes the integrationPerimeter perimeter:

gcloud access-context-manager perimeters describe integrationPerimeter

For more information about managing service perimeters, see Managing service perimeters.

Considerations

If you have enabled a VPC service perimeter for the Application Integration service, you cannot use the following tasks in your integrations:

What's next

Learn how VPC Service Controls protects your data.